Who Needs to Sign a BAA? HIPAA Rules for Covered Entities, Business Associates, and Subcontractors
Definition of Covered Entities
Before you decide who needs to sign a Business Associate Agreement, start with who HIPAA regulates directly. Covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with standard HIPAA transactions such as claims, eligibility inquiries, or remittance advice.
Covered entities hold primary responsibility for Protected Health Information. Their core obligations span the HIPAA Privacy Rule and Security Rule, including minimum necessary standards, individual rights, risk analysis, and vendor oversight. A covered entity’s employees and volunteers are its “workforce,” not business associates, and do not sign BAAs with their employer.
Examples of covered entities include hospitals, physician practices, dental offices, pharmacies, clinical labs, billing departments of providers that submit electronic claims, health insurers, employer-sponsored group health plans, and third-party administrators acting as a health plan’s workforce. Hybrid organizations may designate HIPAA-covered components while keeping other units outside HIPAA’s scope.
Role of Business Associates
A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity—or provides services to a covered entity that inherently involve PHI. If a vendor needs access to PHI to perform its duties, that vendor is a business associate and must sign a Business Associate Agreement before handling PHI.
Common business associates include revenue cycle and billing companies, EHR and practice management vendors, cloud and data hosting providers, IT managed service providers, e-fax and email platforms that store messages, data analytics firms, transcription services, legal and accounting firms, shredding and archiving vendors, and telehealth, patient engagement, or CRM solutions that maintain ePHI.
Some entities are not business associates. The “conduit” exception is narrow and typically covers entities like the postal service and certain couriers that transport—but do not store—PHI. Most modern cloud and messaging services that retain data are not conduits; they are business associates because they maintain PHI, even if access is restricted technically or contractually.
Responsibilities of Subcontractors
Subcontractors that a business associate engages to create, receive, maintain, or transmit PHI are themselves business associates under HIPAA. They must meet the same requirements and sign a BAA with the upstream business associate. This “flow‑down” ensures subcontractor compliance across the entire vendor chain.
Business associates must conduct due diligence on subcontractors, limit disclosures to the minimum necessary, and ensure appropriate administrative, technical, and physical safeguards. The obligations do not diminish as data moves downstream; every party with PHI access is accountable for safeguarding PHI and for breach reporting duties.
Practical steps for managing subcontractors include mapping where PHI flows, verifying security controls (encryption, access management, audit logging), requiring BAAs before onboarding, documenting training, and reserving audit and termination rights in the contract.
Requirements for BAA Signing
When a BAA is required
- Covered entity to business associate: Sign a BAA before the vendor or consultant can access, store, or process PHI in any form (paper, verbal, or electronic).
- Business associate to subcontractor: Sign a BAA before delegating any PHI‑related function downstream.
- Covered entity to another covered entity acting as a business associate: If one covered entity performs services for another that involve PHI (for example, a hospital billing on behalf of an independent physician practice), a BAA is required for that service relationship.
- Ongoing or incidental access: Remote administration, backups, disaster recovery, and systems monitoring that may touch PHI require a BAA even if the vendor claims “read‑only” or limited access.
When a BAA is not required
- Treatment disclosures between covered entities: Sharing PHI for treatment does not require a BAA.
- Disclosures to the individual patient or their personal representative.
- Public health, health oversight, or law enforcement disclosures permitted by the HIPAA Privacy Rule.
- Conduits that merely transport but do not store PHI (a narrow category; most hosted services store data and need a BAA).
- De‑identified data that meets HIPAA’s de‑identification standard.
- Limited data sets used under a Data Use Agreement instead of a BAA, when appropriate.
Timing and scope
Execute the Business Associate Agreement before any PHI flows. The BAA should cover all services performed, all systems and locations where PHI is handled, and the entire term of the engagement. Update the BAA when services change, new subcontractors are added, or security requirements evolve.
Importance of PHI Protection
Protected Health Information is individually identifiable health data—clinical, billing, or demographic—created or used by a covered entity or business associate. PHI includes ePHI and paper or verbal PHI; safeguarding is required across all formats and locations.
Effective PHI safeguarding rests on layered controls. Administratively, you need policies, workforce training, vendor oversight, risk analysis, and incident response planning. Technically, you should use strong authentication, role‑based access, encryption in transit and at rest, device and key management, audit logging, and timely patching. Physically, protect facilities and hardware, control media, and manage disposal and destruction.
Beyond legal risk, strong security preserves patient trust and business continuity. It reduces breach impact, speeds recovery, and demonstrates a culture of compliance that partners and regulators expect.
HIPAA Compliance Enforcement
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces HIPAA through complaint investigations, breach reports, audits, and compliance reviews. Outcomes can include technical assistance, corrective action plans, resolution agreements, and civil money penalties that scale by culpability under a tiered framework with annual inflation adjustments. Serious violations or wrongful disclosures can lead to Department of Justice criminal enforcement.
OCR expects BAAs to be in place and effective—not just signed. During investigations, OCR may review your risk analysis, access controls, training records, and breach notification practices. The Breach Notification Rule requires notice to affected individuals and regulators without unreasonable delay and no later than 60 calendar days from discovery of a reportable breach.
Enforcement also comes from contracts. Missing or inadequate BAAs can trigger termination rights, indemnification claims, and insurance issues, compounding regulatory exposure with significant business risk.
Key Elements of a BAA
Required provisions
- Permitted and required uses and disclosures: Spell out what the business associate may do with PHI and any limits beyond the Privacy Rule’s minimum necessary standard.
- No unauthorized use or disclosure: Prohibit uses or disclosures not explicitly permitted by the agreement or required by law.
- Safeguards: Require administrative, technical, and physical protections consistent with the Security Rule, including risk analysis, access controls, encryption practices, and monitoring.
- Breach and security incident reporting: Obligate prompt reporting of breaches and suspected incidents, with procedures for investigation, cooperation, and documentation.
- Subcontractors: Mandate that subcontractors agree in writing to the same restrictions and safeguards before handling PHI.
- Individual rights support: Ensure the business associate helps the covered entity provide access, amendments, and an accounting of disclosures when requested.
- Disclosures to HHS: Require cooperation with OCR by making relevant records available for compliance review.
- Return or destruction of PHI: On termination, return or securely destroy PHI, or document why destruction is infeasible and extend protections to retained data.
- Termination for cause: Allow the covered entity to terminate the agreement if the business associate materially breaches the BAA.
- Minimum necessary and role‑based access: Limit PHI to what is needed to perform services and to properly authorized personnel.
- Documentation and retention: Specify how long the business associate must keep required records and audit logs.
- Use of de‑identified data and data aggregation: Permit only as expressly authorized and consistent with HIPAA standards.
Recommended enhancements
- Clear breach notification timelines and content requirements, including cooperation on notices and mitigation.
- Security benchmarks and reporting (e.g., independent assessments, penetration tests, or SOC reports when appropriate).
- Right to audit and remediation plans, including escalation paths and service suspension options.
- Insurance, indemnification, and subcontractor oversight expectations tailored to data volume and risk.
Conclusion
If you create, receive, maintain, or transmit PHI for a covered entity, you need a Business Associate Agreement—whether you are a direct vendor or a downstream subcontractor. Map PHI flows, sign BAAs before access begins, and align safeguards with the HIPAA Privacy Rule and Security Rule. Strong contracts, disciplined security, and vigilant vendor management are the foundation of reliable HIPAA compliance.
FAQs
Who is considered a business associate under HIPAA?
Any person or organization, outside a covered entity’s workforce, that creates, receives, maintains, or transmits PHI on behalf of a covered entity—or provides services for the covered entity that involve PHI—is a business associate. Typical examples include billing companies, cloud and data hosting providers, EHR vendors, IT support with system access, consultants handling analytics, and professional service firms that access PHI.
When is a BAA required between parties?
A BAA is required before a vendor or subcontractor can access PHI to perform services for a covered entity or for another business associate. It is also required when one covered entity performs a PHI‑related service for another covered entity. A BAA is not required for treatment disclosures between covered entities, disclosures to patients, permitted public health or oversight disclosures, conduit-only transport, de‑identified data, or limited data sets used under a Data Use Agreement.
What are the consequences of not having a BAA?
Absent or inadequate BAAs can lead to OCR investigations, corrective action plans, and significant civil penalties, along with contractual disputes, insurance complications, and reputational harm. Operationally, you may face service interruptions, forced vendor changes, and costly remediation after a breach. Having the right BAA in place—paired with real security controls—substantially reduces these risks.